topic How to extract Json array of objects data into table format in Splunk ? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-extract-Json-array-of-objects-data-into-table-format-in/m-p/494134#M137775 <P>Example data : <BR /> We need to extract below json data into table format in Splunk ?<A href="https://answers.splunk.comstorage/temp/287582-json.txt">link text</A></P> <P>"assets": [<BR /> {<BR /> "id": 1,</P> <PRE><CODE> "last_seen_time": "2020-02-26T16:23:06Z", "network_ports": [ { "id": 100, "port_number": 111, "extra_info": "", "hostname": null, "name": "unknown", "ostype": "", "product": null, "protocol": "tcp", "state": "open", "version": null }, { "id": 343, "port_number": 444, "extra_info": "", "hostname": null, "name": "unknown", "ostype": "", "product": null, "protocol": "tcp", "state": "open", "version": null }, ], "tags": [ "Loc: Ajay" ], "owner": null, "urls": { "vulnerabilities": "google.com/examples/1012/tests" }, "ip_address": "1.1.0.91", "database": null, "hostname": "swetha", "asset_groups": [ { "id": 191300, "name": "All examples" } ] }, { "id": 1012, "last_seen_time": "2020-02-26T16:23:06Z", "network_ports": [ { "id": 331, "port_number": 135, "extra_info": "", "hostname": null, "name": "unknown", "ostype": "", "product": null, "protocol": "tcp", "state": "open", "version": null }, { "id": 343, "port_number": 444, "extra_info": "", "hostname": null, "name": "unknown", "ostype": "", "product": null, "protocol": "tcp", "state": "open", "version": null }, ], "tags": [ "Loc: NorthCEE" ], "owner": null, "urls": { "vulnerabilities": "google.com/examples/2/tests" }, "ip_address": "1.1.0.92", "database": null, "hostname": "sweety", "asset_groups": [ { "id": 191300, "name": "All exs" } ] }, </CODE></PRE> <P>]</P> Wed, 11 Mar 2020 08:00:40 GMT harishalipaka 2020-03-11T08:00:40Z How to extract Json array of objects data into table format in Splunk ? https://community.splunk.com/t5/Splunk-Search/How-to-extract-Json-array-of-objects-data-into-table-format-in/m-p/494134#M137775 <P>Example data : <BR /> We need to extract below json data into table format in Splunk ?<A href="https://answers.splunk.comstorage/temp/287582-json.txt">link text</A></P> <P>"assets": [<BR /> {<BR /> "id": 1,</P> <PRE><CODE> "last_seen_time": "2020-02-26T16:23:06Z", "network_ports": [ { "id": 100, "port_number": 111, "extra_info": "", "hostname": null, "name": "unknown", "ostype": "", "product": null, "protocol": "tcp", "state": "open", "version": null }, { "id": 343, "port_number": 444, "extra_info": "", "hostname": null, "name": "unknown", "ostype": "", "product": null, "protocol": "tcp", "state": "open", "version": null }, ], "tags": [ "Loc: Ajay" ], "owner": null, "urls": { "vulnerabilities": "google.com/examples/1012/tests" }, "ip_address": "1.1.0.91", "database": null, "hostname": "swetha", "asset_groups": [ { "id": 191300, "name": "All examples" } ] }, { "id": 1012, "last_seen_time": "2020-02-26T16:23:06Z", "network_ports": [ { "id": 331, "port_number": 135, "extra_info": "", "hostname": null, "name": "unknown", "ostype": "", "product": null, "protocol": "tcp", "state": "open", "version": null }, { "id": 343, "port_number": 444, "extra_info": "", "hostname": null, "name": "unknown", "ostype": "", "product": null, "protocol": "tcp", "state": "open", "version": null }, ], "tags": [ "Loc: NorthCEE" ], "owner": null, "urls": { "vulnerabilities": "google.com/examples/2/tests" }, "ip_address": "1.1.0.92", "database": null, "hostname": "sweety", "asset_groups": [ { "id": 191300, "name": "All exs" } ] }, </CODE></PRE> <P>]</P> Wed, 11 Mar 2020 08:00:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-Json-array-of-objects-data-into-table-format-in/m-p/494134#M137775 harishalipaka 2020-03-11T08:00:40Z Re: How to extract Json array of objects data into table format in Splunk ? https://community.splunk.com/t5/Splunk-Search/How-to-extract-Json-array-of-objects-data-into-table-format-in/m-p/494135#M137776 <PRE><CODE>| makeresults | eval _raw="\"assets\":[{\"id\":1,\"last_seen_time\":\"2020-02-26T16:23:06Z\",\"network_ports\":[{\"id\":100,\"port_number\":111,\"extra_info\":\"\",\"hostname\":null,\"name\":\"unknown\",\"ostype\":\"\",\"product\":null,\"protocol\":\"tcp\",\"state\":\"open\",\"version\":null},{\"id\":343,\"port_number\":444,\"extra_info\":\"\",\"hostname\":null,\"name\":\"unknown\",\"ostype\":\"\",\"product\":null,\"protocol\":\"tcp\",\"state\":\"open\",\"version\":null}],\"tags\":[\"Loc: Ajay\"],\"owner\":null,\"urls\":{\"vulnerabilities\":\"google.com/examples/1012/tests\"},\"ip_address\":\"1.1.0.91\",\"database\":null,\"hostname\":\"swetha\",\"asset_groups\":[{\"id\":191300,\"name\":\"All examples\"}]},{\"id\":1012,\"last_seen_time\":\"2020-02-26T16:23:06Z\",\"network_ports\":[{\"id\":331,\"port_number\":135,\"extra_info\":\"\",\"hostname\":null,\"name\":\"unknown\",\"ostype\":\"\",\"product\":null,\"protocol\":\"tcp\",\"state\":\"open\",\"version\":null},{\"id\":343,\"port_number\":444,\"extra_info\":\"\",\"hostname\":null,\"name\":\"unknown\",\"ostype\":\"\",\"product\":null,\"protocol\":\"tcp\",\"state\":\"open\",\"version\":null}],\"tags\":[\"Loc: NorthCEE\"],\"owner\":null,\"urls\":{\"vulnerabilities\":\"google.com/examples/2/tests\"},\"ip_address\":\"1.1.0.92\",\"database\":null,\"hostname\":\"sweety\",\"asset_groups\":[{\"id\":191300,\"name\":\"All exs\"}]}]" | rex mode=sed "s/(.*)/{\1}/" | spath </CODE></PRE> <P>This query works. If you want only searching, try this <CODE>rex</CODE> and <CODE>spath</CODE><BR /> I guess your JSON is not <STRONG>valid</STRONG>.</P> <P>recommed props.conf</P> <PRE><CODE>[your sourcetype] SEDCMD-add_header = s/(.*)/{\1}/ KV_MODE=json </CODE></PRE> Wed, 11 Mar 2020 12:01:55 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-Json-array-of-objects-data-into-table-format-in/m-p/494135#M137776 to4kawa 2020-03-11T12:01:55Z